Maybe somewhat off-topic, but please don't forget to build in some kind of fail-safe for whenever a certificate expires (this can be a CA certificate or a client certificate). This has already happened to us: the CA certificate expired, we lost all endpoint agents, and we had to manually reconfigure all of them to connect again.